Shellcode on ARM architecture

Introduction to the ARM architecture

The ARM architecture was originally conceived for a computer sold by Acorn.
It later evolved into an independent offering in the embedded computing market.
ARM is the acronym for Advanced RISC Machine, formerly known as Acorn RISC Machine.

The most famous core is the ARM7TDMI, which has a three-stage pipeline.
The ARM7TDMI also has a second, 16-bit instruction set called Thumb, which brings
significant memory savings, especially in the field of embedded computing.
The ARM architecture is also very present in the field of mobile computing. Numerous
operating systems have been ported to that architecture. A non-exhaustive list includes:
Linux (used by Maemo on the N900 and Android on the Nexus One), Symbian S60 on the
Nokia N97 or Samsung Player HD, iPhone OS on the iPhone and iPad, and Windows Mobile.

ARM Ltd followed up by releasing the ARM9 core, which moved to a five-stage pipeline,
reducing the amount of logic that has to settle in each clock cycle and therefore nearly
doubling the clock frequency.

ARM/Linux shellcode: first attempt

For the remainder of this document, all tests are assumed to be running on an ARM926EJ-S core.
Let's start by having a look at the register conventions.

When compiling, please use "-mthumb" to indicate that we are switching to "Thumb mode". The astute
reader will have noticed that I have changed the value of the constant being added to r1. Instead
of the original "add r1, #24", I'm doing "add r1, #12": since we have now switched to Thumb mode,
with its 16-bit instructions, the offset to the address where my string lives has been halved.
Let's see what that gives us in terms of null bytes.

That's better. All that is left to do now is to modify the following two instructions: "svc 0"
and "sub r0, r0, r0".
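To see exactly where the null bytes come from, here is an added example (my own code, not taken from the original article) that hand-assembles the few 16-bit Thumb instruction forms this section talks about, decodes them back, and flags every halfword that contains a 0x00 byte. It assumes the ARMv5T Thumb encodings (the ARM926EJ-S is an ARMv5TE core) and little-endian byte order; the sample byte string is constructed from the instructions quoted in the text, so the output can be compared directly with the discussion above.

```python
# Added example, not part of the original article: a minimal decoder for the
# handful of 16-bit Thumb instruction forms discussed in the text, used to check
# which of them encode to a halfword containing a 0x00 byte.
# Assumption: ARMv5T Thumb encodings (ARM926EJ-S), little-endian byte order.
import struct


def enc_svc(imm8):
    """svc #imm8  ->  1101 1111 imm8  (0xDF00 | imm8)."""
    return struct.pack("<H", 0xDF00 | (imm8 & 0xFF))


def enc_mov_imm(rd, imm8):
    """mov Rd, #imm8  ->  00100 Rd imm8  (0x2000 | Rd<<8 | imm8)."""
    return struct.pack("<H", 0x2000 | ((rd & 7) << 8) | (imm8 & 0xFF))


def enc_add_imm(rdn, imm8):
    """add Rdn, #imm8  ->  00110 Rdn imm8  (0x3000 | Rdn<<8 | imm8)."""
    return struct.pack("<H", 0x3000 | ((rdn & 7) << 8) | (imm8 & 0xFF))


def enc_sub_reg(rd, rn, rm):
    """sub Rd, Rn, Rm  ->  0001101 Rm Rn Rd  (0x1A00 | Rm<<6 | Rn<<3 | Rd)."""
    return struct.pack("<H", 0x1A00 | ((rm & 7) << 6) | ((rn & 7) << 3) | (rd & 7))


def decode_thumb(hw):
    """Disassemble one halfword; only the four forms above are recognised."""
    if hw >> 8 == 0xDF:
        return "svc #%d" % (hw & 0xFF)
    if hw >> 11 == 0b00100:
        return "mov r%d, #%d" % ((hw >> 8) & 7, hw & 0xFF)
    if hw >> 11 == 0b00110:
        return "add r%d, #%d" % ((hw >> 8) & 7, hw & 0xFF)
    if hw >> 9 == 0b0001101:
        return "sub r%d, r%d, r%d" % (hw & 7, (hw >> 3) & 7, (hw >> 6) & 7)
    return ".hword 0x%04x" % hw


def scan_thumb(blob):
    """Walk a Thumb byte string halfword by halfword and flag null bytes.

    Returns a list of (offset, hex bytes, mnemonic, has_null) tuples.
    """
    rows = []
    for off in range(0, len(blob) - 1, 2):
        lo, hi = blob[off], blob[off + 1]
        hw = struct.unpack_from("<H", blob, off)[0]
        rows.append((off, "%02x %02x" % (lo, hi), decode_thumb(hw), lo == 0 or hi == 0))
    return rows


# Constructed sample: the instructions the text talks about, each in its
# original and its replacement form (all encoded as Thumb for comparison).
SAMPLE = b"".join([
    enc_add_imm(1, 24),    # add r1, #24     (the original immediate)
    enc_add_imm(1, 12),    # add r1, #12     (halved offset in Thumb mode)
    enc_svc(0),            # svc 0           (imm8 = 0 -> low byte is 0x00)
    enc_svc(1),            # svc 1           (imm8 = 1 -> no null byte)
    enc_sub_reg(0, 0, 0),  # sub r0, r0, r0  (all register fields 0 -> 0x1A00)
    enc_mov_imm(0, 0),     # mov r0, #0      (imm8 = 0 -> 0x2000)
])


def null_free_instructions(blob=SAMPLE):
    """Mnemonics of the instructions in `blob` whose encoding has no 0x00 byte."""
    return [asm for _, _, asm, has_null in scan_thumb(blob) if not has_null]


if __name__ == "__main__":
    for off, raw, asm, has_null in scan_thumb(SAMPLE):
        print("%04x: %s  %-16s %s" % (off, raw, asm, "NULL BYTE" if has_null else "ok"))
```

Running it shows why "svc 1" is fine while "svc 0", "sub r0, r0, r0" and "mov r0, #0" are not: in each of the three rejected forms a whole byte of the halfword is made up of zero-valued immediate or register fields, so the low byte of the little-endian encoding comes out as 0x00.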

For SVC we will use "svc 1", which works perfectly in this case.
For "sub r0, r0, r0", the goal is to put 0 in register r0; however, we cannot use "mov r0, #0",
as its encoding also contains a null byte. The only trick so far that I have come across is: